Abstract

In this paper, we present a very important primitive called Information Checking Protocol 
(ICP) which plays an important role in constructing statistical Verifiable Secret Sharing (VSS) and 
Weak Secret Sharing (WSS) protocols. Informally, ICP is a tool for authenticating messages in 
the presence of computationally unbounded corrupted parties. Here we extend the basic bare-bone 
definition of ICP, introduced by Rabin et al. [3] and then present an ICP that attains the best 
communication complexity and round complexity among all the existing ICPs in the literature. We 
also show that our ICP satisfies several interesting properties, such as the linearity property, which is 
an important requirement in many applications of ICP. 

Though not presented in this paper, we can design communication and round efficient statistical 
(i.e., involving a negligible error probability in computation) VSS and Multiparty Computation (MPC) 
protocols using our new ICP. 

Keywords: ICP, Information Theoretic Security, Statistical, Error Probability. 

1 Introduction 

1.1 Existing Literature and Existing Definition of ICP 

The notion of ICP was first introduced by Rabin et al. [3]. Rabin et al. [3] have used ICP for 
constructing a statistical WSS protocol which was further used to design a statistical VSS protocol. 
Since then many ICPs have been designed [3, 1, 2] and used in constructing various statistical VSS 
P HE] and wss CO E] protocols. 

As described in [3, 1, 2], an ICP is executed among three parties: a dealer D, an intermediary 
INT and a verifier R. The dealer D hands over a secret value s to INT. At a later stage, INT is 
required to hand over s to R and convince R that s is indeed the value which INT received from D. 



1.2 Our New Definition of ICP 

The basic definition of ICP involves only a single verifier R [3, 2, 1]. We extend this notion to multiple 
verifiers, specifically to n verifiers/parties denoted by $V = \{P_1, \ldots, P_n\}$, out of which at most t are 
corrupted by an unbounded powerful active adversary. Moreover, D and INT are some specific parties 
from V. Thus our ICP is executed among three entities: a dealer $D \in V$, an intermediary $INT \in V$ 
and the entire set V acting as verifiers. Moreover, in contrast to the existing ICPs that deal with a single 
secret, our ICP can deal with multiple secrets concurrently and thus achieves better communication 
complexity than multiple executions of an ICP dealing with a single secret. 

The multiple secret, multiple receiver ICP is useful in the design of efficient protocols for statistical 
VSS and WSS. Statistical VSS is possible iff $n \geq 2t + 1$ (provided a physical broadcast channel is 
available in the system) and for the design of statistical VSS with optimal resilience, we work with 
n = 2t + 1. As our ICP is useful in such a context, we design our ICP as well with n = 2t + 1. Thus our 
ICP can be used for statistical VSS and WSS and they can be used for statistical MPC with optimal 
resilience (i.e., n = 2t + 1). 



1.3 Our Network and Adversary Model 

We consider a setting with n parties (we also call them verifiers) $V = \{P_1, P_2, \ldots, P_n\}$ with 
n = 2t + 1, that are pairwise connected by a secure (or private) channel. We further assume that all parties 
have access to a common broadcast channel (that allows any party in V to send some information 
identically to all other parties in V). We assume the system to be synchronous. Therefore the protocols 
operate in a sequence of rounds, where in each round, a party performs some local computation, sends 
new messages to the other parties through the private channels and broadcasts some information over 
the broadcast channel, then it receives the messages that were sent by the other parties in this round 
on the private and broadcast channels. 

The adversary that we consider is a static, threshold, active and rushing adversary having 
unbounded computing power. The adversary, denoted by $\mathcal{A}_t$, can corrupt at most t parties out of the 
n parties. The adversary controls and coordinates the actions of the corrupted/faulty parties in any 
arbitrary manner. We further allow the adversary to be rushing [2], i.e., in every round of 
communication it can wait to hear the messages of the honest parties before sending his own messages. We 
consider a static adversary, who corrupts all the parties at the beginning of the protocol. 

We assume that the messages sent through the channels are from a specified domain. Thus if a 
party receives a message which is not from the specified domain (or a party receives no message at 
all), then he replaces it with some pre-defined default message. Thus, we separately do not consider 
the case when no message or syntactically incorrect message is received by a party. 

1.4 Structure of ICP 

As in [S1H], our ICP is also structured into sequence of following three phases: 

1. Generation Phase: This phase is initiated by D. Here D hands over the secret S containing 
$\ell$ elements from $\mathbb{F}$ (the working field of ICP) to the intermediary INT. In addition, D sends some 
authentication information to INT and verification information to individual verifiers in V. 

2. Verification Phase: This phase is initiated by INT to acquire an IC Signature on S that will 
be later accepted by every honest verifier in V. Depending on the behavior of D/INT, secret 
S OR S along with the authentication information, held by INT at the end of Verification 
Phase, will be called D's IC signature on S and will be denoted by ICSig(D, INT, V, S). 

3. Revelation Phase: This phase is carried out by INT and the verifiers in V. Here INT reveals 
ICSig(D, INT, V, S). The verifiers publish their responses after verifying ICSig(D, INT, V, S) 
with respect to their verification information. Depending upon the responses of the verifiers, 
every verifier $P_i \in V$ either accepts ICSig(D, INT, V, S) or rejects it. 

1.5 The properties of ICP 

Our ICP satisfies the following properties (which are almost the same as the properties satisfied by the 
ICP of [3, 2]). In these properties, $\epsilon$ is called the error parameter. 

1. ICP-Correctness1: If D and INT are honest, then ICSig(D, INT, V, S) will be accepted in 
Revelation Phase by each honest verifier. 

2. ICP-Correctness2: If INT is honest then at the end of Verification Phase, INT possesses 
an ICSig(D, INT, V, S), which will be accepted in Revelation Phase by all honest verifiers, 
except with probability $\epsilon$. 

3. ICP-Correctness3: If D is honest, then during Revelation Phase, with probability at least 
$(1 - \epsilon)$, every ICSig(D, INT, V, S') with $S' \neq S$, produced by a corrupted INT will be rejected 
by honest verifiers. 

4. ICP-Secrecy: If D and INT are honest then till the end of Verification Phase, S is 
information theoretically secure from $\mathcal{A}_t$ (that controls t verifiers in V). 

1.6 The Road-map 

In Section 2 we present our novel ICP with its complete proof. In Section 3 we compare our ICP 
with the existing ICPs and show that our ICP attains the best communication and round complexity 
among all existing ICPs. Section 4 introduces a definition and a notation for our ICP. Section 5 then 
concentrates on the linearity property of our ICP. Finally, we conclude this article in Section 6. 

2 Our Novel ICP 

In this section, we present an ICP called as MVMS-ICP (MVMS stands for Multi Verifier Multi Secret). 
Protocol MVMS-ICP requires one round for Generation Phase and two rounds for Verification 
Phase and Revelation Phase each. 

To bound the error probability by $\epsilon$, our protocol MVMS-ICP operates over the field $\mathbb{F} = GF(2^\kappa)$, 
where $\epsilon \geq n 2^{-\kappa}$. Hence we have $|\mathbb{F}| \geq \frac{n}{\epsilon}$. Moreover, we assume that $n = poly(\log \frac{1}{\epsilon})$. Now each 
element from the field is represented by $\kappa = \log|\mathbb{F}| = O(\log \frac{n}{\epsilon}) = O(\log n + \log \frac{1}{\epsilon}) = O(\log \frac{1}{\epsilon})$ bits 
(the last equality in the above sequence follows from our assumption that $n = poly(\log \frac{1}{\epsilon})$). We now 
present an informal idea of MVMS-ICP. 

The Intuition: In MVMS-ICP, D selects a random polynomial F(x) of degree $\ell + t$, whose lower order 
$\ell$ coefficients are the elements of S, and delivers F(x) to INT. In addition, D privately delivers to each 
individual verifier $P_i$ the value of F(x) at a random, secret evaluation point $\alpha_i$. This distribution of 
information by D helps to achieve the ICP-Correctness3 property. The reason is that if D is honest, 
then a corrupted INT cannot produce an incorrect $F'(x) \neq F(x)$ during Revelation Phase without 
being detected by an honest verifier with very high probability. This is because a corrupted INT 
will have no information about the evaluation point of an honest verifier and hence with very high 
probability, F'(x) will not match with F(x) at the evaluation point held by an honest verifier. 

The above distribution by D also maintains the ICP-Secrecy property. This is because the degree 
of F(x) is $\ell + t$. But only up to t points on F(x) will be known to $\mathcal{A}_t$ through t corrupted verifiers. 
Therefore $\mathcal{A}_t$ will fall short by $\ell$ points to uniquely interpolate F(x). 

But the above distribution alone is not enough to achieve ICP-Correctness2. A corrupted D might 
distribute F(x) to INT and the value of some other polynomial (different from F(x)) to each honest 
verifier. To detect this situation, INT and the verifiers interact in zero knowledge fashion to check 
the consistency of F(x) held by INT and the values held by individual verifiers. The specific details 
of the zero knowledge, along with other formal steps of protocol MVMS-ICP, are given in Fig. 1. 
We now prove the properties of protocol MVMS-ICP. 

Claim 1 If D and INT are honest then D will never broadcast S during Ver. 

Proof: Since INT is honest, he will correctly broadcast (d, B(x)) during Round 1 of Ver. So during 
Round 2 of Ver, D will find $B(\alpha_i) = d v_i + r_i$ for all i = 1, ..., n. Thus D will never broadcast S 
during Ver. □ 

Lemma 1 (ICP-Correctness1) If D and INT are honest, then ICSig(D, INT, V, S) produced by 
INT during Reveal will be accepted by each honest verifier. 

Proof: If D is honest, then (F(x), R(x)) held by honest INT and $(\alpha_i, v_i, r_i)$ held by honest verifier 
$P_i$ will satisfy $v_i = F(\alpha_i)$ and $r_i = R(\alpha_i)$. Moreover, by Claim 1, D will never broadcast S during Ver. 
Hence ICSig(D, INT, V, S) = F(x). Now every honest verifier $P_i$ will broadcast Accept in Round 
2 of Reveal as condition C1, i.e., $v_i = F(\alpha_i)$, will hold. Since there are at least t + 1 honest verifiers, 
ICSig(D, INT, V, S) will be accepted by every honest verifier. □ 



Figure 1: Protocol MVMS-ICP with n = 2t + 1 Verifiers 



MVMS-ICP(D, INT, V, S, $\epsilon$) 

Gen(D, INT, V, S, $\epsilon$): This will take one round 
Round 1: 

1. D picks and sends the following to INT: 

(a) A random degree-$(\ell + t)$ polynomial F(x) over $\mathbb{F}$, such that the lower order $\ell$ coefficients of 
F(x) are elements of S. 

(b) A random degree-$(\ell + t)$ polynomial R(x) over $\mathbb{F}$. 

2. D privately sends the following to every verifier $P_i$: 

(a) $(\alpha_i, v_i, r_i)$, where $\alpha_i \in \mathbb{F} - \{0\}$ is random (all $\alpha_i$'s are distinct), $v_i = F(\alpha_i)$ and $r_i = R(\alpha_i)$. 

Ver(D, INT, V, S, $\epsilon$): This will take two rounds 

Round 1: INT chooses a random $d \in \mathbb{F} \setminus \{0\}$ and broadcasts (d, B(x)) where B(x) = dF(x) + R(x). 
Round 2: D checks $d v_i + r_i = B(\alpha_i)$ for i = 1, ..., n. If D finds any inconsistency, he broadcasts S. 

If D has broadcasted S, then ICSig(D, INT, V, S) = S, else ICSig(D, INT, V, S) = F(x). 

Reveal(D, INT, V, S, $\epsilon$): This will take two rounds 

Round 1: INT broadcasts ICSig(D, INT, V, S) (i.e., either F(x) or S). 
Round 2: Verifier $P_i$ broadcasts Accept in the following conditions. 

1. If ICSig(D, INT, V, S) = S, then if the S broadcasted by D in Round 2 of Ver is the same as 
ICSig(D, INT, V, S). 

2. If ICSig(D, INT, V, S) = F(x), then if one of the following conditions holds. 

(a) C1: $v_i = F(\alpha_i)$; OR 

(b) C2: $B(\alpha_i) \neq d v_i + r_i$ (B(x) was broadcasted by INT during Ver) and D did not broadcast 
S in Round 2 of Ver. 

Otherwise, $P_i$ broadcasts Reject. 

Local Computation (By Every Verifier): If at least (t + 1) verifiers have broadcasted Accept during 
Round 2 of Reveal then accept ICSig(D, INT, V, S). Else reject ICSig(D, INT, V, S). 



Claim 2 If D is corrupted and (F(x), R(x)) held by an honest INT and $(\alpha_i, v_i, r_i)$ held by an honest 
verifier $P_i$ satisfy $F(\alpha_i) \neq v_i$ and $R(\alpha_i) \neq r_i$, then except with probability $\frac{\epsilon}{n}$, $B(\alpha_i) \neq d v_i + r_i$. 

Proof: We first prove that for (F(x), R(x)) held by an honest INT and $(\alpha_i, v_i, r_i)$ held by honest 
verifier $P_i$, there is only one non-zero d for which $B(\alpha_i) = d v_i + r_i$, even though $F(\alpha_i) \neq v_i$ and 
$R(\alpha_i) \neq r_i$. For otherwise, assume there exists another non-zero element $e \neq d$, for which 
$B(\alpha_i) = e v_i + r_i$ is true, even if $F(\alpha_i) \neq v_i$ and $R(\alpha_i) \neq r_i$. This implies that $(d - e)F(\alpha_i) = (d - e)v_i$ or 
$F(\alpha_i) = v_i$, which is a contradiction. Now since d is randomly chosen by honest INT only after 
D handed over (F(x), R(x)) to INT and $(\alpha_i, v_i, r_i)$ to $P_i$, a corrupted D has to guess d in advance 
during Gen to make sure that $B(\alpha_i) = d v_i + r_i$ holds. However, D can guess d with probability at 
most $\frac{1}{|\mathbb{F}| - 1} \approx \frac{\epsilon}{n}$. Hence only with probability at most $\frac{\epsilon}{n}$, corrupted D can ensure $B(\alpha_i) = d v_i + r_i$, 
even though $F(\alpha_i) \neq v_i$ and $R(\alpha_i) \neq r_i$. □ 

Lemma 2 (ICP-Correctness2) If INT is honest then at the end of Ver, INT possesses an 
ICSig(D, INT, V, S), which will be accepted in Reveal by all honest verifiers, except with probability $\epsilon$. 

Proof: We consider the case when D is corrupted, because when D is honest, the lemma follows 
from Lemma 1. Now the proof can be divided into the following two cases: 

1. ICSig(D, INT, V, S) = S: This implies that D has broadcasted S during Round 2 of Ver. 
In this case, the lemma holds trivially, without any error. This is because the honest INT 
will correctly broadcast ICSig(D, INT, V, S) = S during Round 1 of Reveal and every honest 
verifier will find that S broadcasted by INT is the same as the one that was broadcasted by D 
during Round 2 of Ver. So all honest verifiers (at least t + 1) will broadcast Accept and hence 
ICSig(D, INT, V, S) will be accepted by all honest verifiers. 

2. ICSig(D, INT, V, S) = F(x): This implies that D has not broadcasted anything during Round 
2 of Ver. Here, we first show that except with probability $\frac{\epsilon}{n}$, each honest verifier will 
broadcast Accept during Reveal. So let $P_i$ be an honest verifier. We have now the following cases 
depending on the relation that holds between the information held by INT (i.e., (F(x), R(x))) 
and the information held by the honest $P_i$ (i.e., $(\alpha_i, v_i, r_i)$): 

(a) If $F(\alpha_i) = v_i$: Here $P_i$ will broadcast Accept without any error probability as condition 
C1 (i.e., $F(\alpha_i) = v_i$) will hold. 

(b) If $F(\alpha_i) \neq v_i$ and $R(\alpha_i) = r_i$: Here $P_i$ will broadcast Accept without any error probability, 
as condition C2 (i.e., $B(\alpha_i) \neq d v_i + r_i$) will hold. 

(c) If $F(\alpha_i) \neq v_i$ and $R(\alpha_i) \neq r_i$: Here $P_i$ will broadcast Accept except with probability $\frac{\epsilon}{n}$, as 
condition C2 will hold, except with probability $\frac{\epsilon}{n}$ (see Claim 2). 

As shown above, there is a negligible error probability of $\frac{\epsilon}{n}$ with which an honest $P_i$ may broadcast 
Reject when $F(\alpha_i) \neq v_i$ and $R(\alpha_i) \neq r_i$ (i.e., the third case). This happens if a corrupted D can 
guess the unique d in Gen, corresponding to $P_i$, and it so happens that INT also selects the same 
d in Ver and therefore condition C2 does not hold good for $P_i$ in Reveal. Now D can guess a $d_i$ 
for each honest verifier $P_i$ and if it so happens that honest INT chooses d which is the same as one 
of those t + 1 $d_i$'s guessed by D, then condition C2 will not be satisfied for the honest verifier 
$P_i$ for whom $d_i = d$ and therefore $P_i$ will broadcast Reject. This may lead to the rejection 
of ICSig(D, INT, V, S), as t corrupted verifiers may always broadcast Reject. But the above 
event can happen with error probability $\frac{t+1}{|\mathbb{F}| - 1} \approx (t + 1)\frac{\epsilon}{n} \approx \epsilon$. This is because there are t + 1 
$d_i$'s and INT has selected some d randomly from $\mathbb{F} \setminus \{0\}$. This implies that all honest verifiers 
will broadcast Accept during Reveal, except with error probability $\epsilon$. 

This completes the proof of the lemma. □ 

Lemma 3 (ICP-Correctness3) If D is honest then during Reveal, with probability at least $1 - \epsilon$, 
every ICSig(D, INT, V, S') with $S' \neq S$ revealed by a corrupted INT will be rejected by honest 
verifiers. 

Proof: Here again we have the following two cases: 

1. ICSig(D, INT, V, S) = S: This implies that D has broadcasted S during Round 2 of Ver. In 
this case if a corrupted INT tries to reveal ICSig(D, INT, V, S') where $S' \neq S$ then all honest 
verifiers (at least t + 1) will broadcast Reject during Reveal. This is because the honest verifiers 
will find that S' is not the same as S which was broadcasted by D during Round 2 of Ver. 

2. ICSig(D, INT, V, S) = F(x): This implies that D has not broadcasted anything during Round 
2 of Ver. Here a corrupted INT can produce $S' \neq S$ by broadcasting $F'(x) \neq F(x)$ during Reveal 
such that the lower order $\ell$ coefficients of F'(x) are S'. We now claim that if INT does so, then 
except with probability $\frac{\epsilon}{n}$, an honest verifier $P_i$ will broadcast Reject during Reveal. In the 
following, we show that the conditions for which the honest verifier $P_i$ would broadcast Accept 
are either impossible or may happen with probability $\frac{\epsilon}{n}$: 

(a) $F'(\alpha_i) = v_i$: Since $P_i$ and D are honest, corrupted INT has no information about $\alpha_i, v_i$. 
Hence the probability that INT can ensure $F'(\alpha_i) = v_i = F(\alpha_i)$ is the same as the probability 
with which INT can correctly guess $\alpha_i$, which is at most $\frac{1}{|\mathbb{F}| - 1} \approx \frac{\epsilon}{n}$ (since $\alpha_i$ is randomly 
chosen by D from $\mathbb{F}$). 

(b) $B(\alpha_i) \neq d v_i + r_i$: This case is never possible because D is honest. If $B(\alpha_i) \neq d v_i + r_i$ 
corresponding to $P_i$, then honest D would have broadcasted S during Round 2 of Ver and 
hence ICSig(D, INT, V, S) would have been equal to S, which is a contradiction to our 
assumption that ICSig(D, INT, V, S) = F(x). 

As shown above, there is a negligible error probability of $\frac{\epsilon}{n}$ with which an honest $P_i$ may 
broadcast Accept, even if the corrupted INT produces $F'(x) \neq F(x)$. This happens if the 
corrupted INT can guess $\alpha_i$ corresponding to honest verifier $P_i$. Now there are t + 1 honest 
verifiers. A corrupted INT can guess $\alpha_i$ for any one of those t + 1 honest verifiers and thereby 
can ensure that $F'(\alpha_i) = v_i$ holds for some honest $P_i$ (which in turn implies $P_i$ will broadcast 
Accept). This will ensure that INT's ICSig(D, INT, V, S') will be accepted, as t corrupted 
verifiers may always broadcast Accept. But the above event can happen with probability at 
most $\frac{t+1}{|\mathbb{F}| - 1} \approx (t + 1)\frac{\epsilon}{n} \approx \epsilon$. This asserts that every ICSig(D, INT, V, S') with $S' \neq S$, revealed 
by a corrupted INT will be rejected by all honest verifiers with probability at least $(1 - \epsilon)$. □ 

Lemma 4 (ICP-Secrecy) If D and INT are honest, then till the end of Ver, S is information 
theoretically secure from $\mathcal{A}_t$ (that controls t verifiers in V). 

Proof: During Gen, $\mathcal{A}_t$ will know t distinct points on F(x) and R(x). Since both F(x) and R(x) are 
of degree $(\ell + t)$, the lower order $\ell$ coefficients of both F(x) and R(x) are information theoretically 
secure. During Ver, $\mathcal{A}_t$ will know d and dF(x) + R(x). Since both F(x) and R(x) are random and 
independent of each other, the lower order $\ell$ coefficients of F(x) remain information theoretically 
secure. Also, if D and INT are honest, then D will never broadcast S during Ver (from Claim 1). 
Hence the lemma. □ 



Theorem 1 Protocol MVMS-ICP is an efficient ICP. 

Proof: Follows from Lemma 1, 2, 3 and 4. □ 

Theorem 2 (Round Complexity of MVMS-ICP) In protocol MVMS-ICP, Gen requires one round, 
Ver and Reveal require two rounds each. 

Theorem 3 (Communication Complexity of MVMS-ICP) Protocol MVMS-ICP attains the 
following bounds: (a) Protocol Gen privately communicates $O((\ell + n) \log \frac{1}{\epsilon})$ bits, (b) Protocol Ver and 
Reveal require broadcast of $O((\ell + n) \log \frac{1}{\epsilon})$ bits each. 

Proof: In protocol Gen, D privately gives $\ell + t$ field elements to INT and three field elements to 
each verifier. Since each field element can be represented by $\kappa = O(\log \frac{1}{\epsilon})$ bits, Gen incurs a private 
communication of $O((\ell + n) \log \frac{1}{\epsilon})$ bits. In protocol Ver, INT broadcasts B(x) containing $\ell + t$ field 
elements, thus incurring broadcast of $O((\ell + n) \log \frac{1}{\epsilon})$ bits. Moreover, D may broadcast S which will 
incur broadcast of $O(\ell \log \frac{1}{\epsilon})$ bits. Therefore, in total Ver requires broadcast of $O((\ell + n) \log \frac{1}{\epsilon})$ bits. In 
protocol Reveal, INT broadcasts F(x), consisting of $\ell + t$ field elements, while each verifier broadcasts 
an Accept/Reject signal. So Reveal involves broadcast of $O((\ell + n) \log \frac{1}{\epsilon})$ bits. □ 

3 Comparison of MVMS-ICP with the ICPs of [3] and [2] 

Both the ICPs of [3] and [2] are designed in single verifier and single secret model. But they can be 
extended to the case of multiple (i.e. n) verifiers easily. Indeed in OH], the single verifier ICPs were 
executed in parallel for n verifiers in the implementation of VSS protocols. Moreover, as the protocols 
were designed for single secret, they can be extended for $\ell$ secrets by $\ell$ parallel invocations of the 
protocols. Since protocol MVMS-ICP is designed to handle n verifiers and $\ell$ secrets concurrently, in 
Table 1 we compare our MVMS-ICP with the ICPs of [3] and [2] extended for n verifiers and $\ell$ secrets. 



Table 1: Communication Complexity and Round Complexity of protocol MVMS-ICP and Existing 
ICP with n = 2t + 1 verifiers and $\ell$ secrets. 

4 Few Remarks, Definitions and Notations on ICP 

4.1 MVMS-ICP with One Round of Reveal 

It is interesting to note that if we restrict the adversary $\mathcal{A}_t$ to a non-rushing adversary then the two 
rounds of Reveal can be collapsed into a single round where INT broadcasts ICSig(D, INT, V, S) 
and simultaneously every verifier broadcasts its values $(\alpha_i, v_i, r_i)$. It is easy to check that all the 
properties of ICP will hold in such a case. But in the presence of a rushing adversary, the two rounds 
are needed in order to force a corrupted INT to commit to the polynomial F(x) prior to seeing the 
evaluation points, as this knowledge can enable the adversary to publish a polynomial that can match 
with the values broadcasted by the honest verifiers, which would violate the ICP-Correctness3 
property of the protocol. However, if the adversary is non-rushing then this property is achieved via 
the synchronicity of the step. Hence, we have the following theorem: 

Theorem 4 If the adversary is non-rushing then there exists an efficient ICP with one round in Gen, 
two rounds in Ver and one round in Reveal. 

4.2 A Definition and a Notation 

Definition 1 (IC Signature with $\epsilon$ Error) An IC signature ICSig(D, INT, V, S) for some secret 
S is said to have $\epsilon$ error, if it satisfies the following: 1. ICP-Correctness1 without any error; 2. 
ICP-Correctness2 with error probability of at most $\epsilon$; 3. ICP-Correctness3 with error probability 
of at most $\epsilon$; 4. ICP-Secrecy without any error. 

Notice that if an IC signature is generated in MVMS-ICP (which is executed with error parameter 
$\epsilon$), then the IC signature will have $\epsilon$ error. This follows from the proofs of Lemma 1, 2, 3 and 4. 

Notation 1 (Notation for Using MVMS-ICP) We say that: 1. "D sends ICSig(D, INT, V, S) 
having $\epsilon$ error to INT" to mean that D executes Gen(D, INT, V, S, $\epsilon$); 2. "INT receives 
ICSig(D, INT, V, S) having $\epsilon$ error from D" to mean that the parties have executed Ver(D, INT, V, S, $\epsilon$); 3. "INT 
reveals ICSig(D, INT, V, S) having $\epsilon$ error" to mean that Reveal(D, INT, V, S, $\epsilon$) has been executed. 

Clearly if D sends ICSig(D, INT, V, S) to INT in the i-th round, then INT will receive 
ICSig(D, INT, V, S) in the (i + 2)-th round, as Ver requires two rounds. 

5 Linearity of Protocol MVMS-ICP 

The IC signature generated in MVMS-ICP satisfies the linearity property, which may be required in 
many applications of ICP (specifically in statistical VSS and MPC [2, 3]). Specifically, consider the 
following setting: in q different instances of MVMS-ICP, let D have handed over IC signatures on q 
different sets of $\ell$ secrets to INT, namely $S_i = (s_i^1, \ldots, s_i^\ell)$, for i = 1, ..., q. Moreover, let D have 
used the same $\alpha_i$ as the secret evaluation point for verifier $P_i$ in all the q instances of MVMS-ICP (an 
honest D can always ensure it). This condition on $\alpha_i$ is very important and we refer to it as the 
condition for linearity of IC signatures. Though the linearity property accounts for any form of linear 
function, we will demonstrate the linearity property with respect to the addition operation (for 
simplicity). So let $S = S_1 + \ldots + S_q$, where $S = (s^1, \ldots, s^\ell)$ and $s^l = s_1^l + \ldots + s_q^l$, for $l = 1, \ldots, \ell$. 
Now INT can compute ICSig(D, INT, V, S) using ICSig(D, INT, V, $S_i$) for i = 1, ..., q and the 
verifiers can compute verification information corresponding to ICSig(D, INT, V, S), without doing 
any further communication. For the sake of completeness, we present a protocol in Fig. 2 showing 
how INT and the verifiers can achieve the above. Informally, in the protocol we use the linearity 
property of polynomials. That is, if ICSig(D, INT, V, $S_1$) = $F_1(x)$ and ICSig(D, INT, V, $S_2$) = $F_2(x)$, 
then ICSig(D, INT, V, $S_1 + S_2$) = $F_1(x) + F_2(x)$. Similarly, if $F_1(\alpha_i)$ and $F_2(\alpha_i)$ are the 
verification information of verifier $P_i$ corresponding to ICSig(D, INT, V, $S_1$) and ICSig(D, INT, V, $S_2$) 
respectively, then $F_1(\alpha_i) + F_2(\alpha_i)$ will be the verification information of verifier $P_i$ corresponding to 
ICSig(D, INT, V, $S_1 + S_2$). 

In the protocol, it might be possible that some ICSig(D, INT, V, $S_i$) is a polynomial of degree 
$\ell + t$ (this implies that D has not broadcasted anything during Ver of the i-th signature giving instance), 
while some other ICSig(D, INT, V, $S_j$) is $S_j$ (this implies that D has broadcasted $S_j$ during Ver of the 
j-th signature giving instance). In such a case, INT finds an $\ell + t$ degree polynomial $F_j(x)$, whose lower 
order $\ell$ coefficients are elements of $S_j$ and the remaining coefficients are some publicly known default 
values, and assumes the polynomial to be ICSig(D, INT, V, $S_j$). Notice that such $F_j(x)$ will be known 
publicly, as $S_j$ is broadcasted by D. Accordingly, every verifier $P_i$ considers $F_j(\alpha_i)$ as his verification 
information corresponding to ICSig(D, INT, V, $S_j$). Once this is done then all the q IC signatures 
will be $\ell + t$ degree polynomials and hence INT can use the linearity property of the polynomials (as 
explained above) to compute the addition of IC signatures. 

Now we show that a linearly combined IC signature that is computed from q IC signatures (using the 
protocol in Fig. 2), each having $\epsilon$ error, will have $\epsilon$ error. For this, we prove the following lemma: 

Lemma 5 Assuming each of the q individual IC signatures, ICSig(D, INT, V, $S_j$), has $\epsilon$ error, the 
linearly combined IC signature, ICSig(D, INT, V, S), will also have $\epsilon$ error. 

Proof: We will examine each of the four properties of IC signature one by one depending on whether 
D and/or INT are honest or corrupted. When D and INT are honest, then it is easy to see that 
ICSig(D, INT, V, S) will abide by ICP-Correctness1 and ICP-Secrecy without any error. 

Now when D is honest and INT is corrupted, ICSig(D, INT, V, S) satisfies ICP-Correctness3 
with error probability $\epsilon$, which is the same as the error of individual IC signatures. This is because, here 
the error probability depends on correctly guessing one of the honest $P_i$'s $\alpha_i$ (recall that the same $\alpha_i$ is 
associated with $P_i$ corresponding to all the individual IC signatures). 

Finally, we show that when D is corrupted and INT is honest, ICSig(D, INT, V, S) satisfies 
ICP-Correctness2 with error probability $\epsilon$. The worst case that causes this error probability is: 

1. To every honest verifier $P_i$, D gives $v_{ji} \neq F_j(\alpha_i)$ and $r_{ji} \neq R_j(\alpha_i)$, corresponding to exactly one 
$j \in \{1, \ldots, q\}$; 

2. For all other $j \in \{1, \ldots, q\}$, D gives $v_{ji} = F_j(\alpha_i)$ and $r_{ji} = R_j(\alpha_i)$ to every honest verifier $P_i$. 

In this case, from the proof of Lemma 2, $B_j(\alpha_i) \neq d_j v_{ji} + r_{ji}$ will not hold for some honest $P_i$, 
except with probability $\epsilon$. Now notice that if D delivers $v_{ji}, r_{ji}$ satisfying $v_{ji} \neq F_j(\alpha_i)$ and $r_{ji} \neq R_j(\alpha_i)$ 
for more j's, then D has to guess more $d_j$'s and hence the probability with which D can guess all 
those $d_j$'s will decrease beyond $\epsilon$. Hence we proved that when D is corrupted and INT is honest, 
ICSig(D, INT, V, S) satisfies ICP-Correctness2 with error probability $\epsilon$. Hence the lemma. □ 

The linearity of IC signatures also captures the following case: in an execution of MVMS-ICP, let 
D have handed over an IC signature on a set of $\ell$ secrets to INT, say $b^1, \ldots, b^\ell$. That is, at the end of Ver, 
INT holds ICSig(D, INT, V, $(b^1, \ldots, b^\ell)$). Also let $(a^1, \ldots, a^\ell)$ be some publicly known values. Now 



Figure 2: Linearity of Protocol MVMS-ICP Over Addition Operation. 



Assumption: 

1. D has sent ICSig(D, INT, V, $S_j$) having $\epsilon$ error to INT, for j = 1, ..., q, where $S_j = (s_j^1, \ldots, s_j^\ell)$. Let D 
have used the same $\alpha_i$ as the secret evaluation point for verifier $P_i$ in all the q instances for giving IC signatures. 
Moreover, let INT have used random value $d_j$ in Round 1 of Ver for the j-th signature giving instance of 
MVMS-ICP. 

2. INT has received ICSig(D, INT, V, $S_j$) having $\epsilon$ error from D. 

3. For every $j \in \{1, \ldots, q\}$, such that ICSig(D, INT, V, $S_j$) is a polynomial of degree $\ell + t$, let 
ICSig(D, INT, V, $S_j$) = $F_j(x)$, i.e., D had used $F_j(x)$ to hide $S_j$. Moreover, let $P_i$ have the verification 
information $v_{ji}$, which is supposed to be the same as $F_j(\alpha_i)$. 

Local Computation to Compute Addition of IC Signatures: 

1. For all $j \in \{1, \ldots, q\}$, such that ICSig(D, INT, V, $S_j$) = $S_j$, INT assumes a degree $\ell + t$ polynomial $F_j(x)$ 
whose lower order $\ell$ coefficients are the elements of $S_j$ and the remaining coefficients are some publicly known 
default values. Notice that such $F_j(x)$ polynomials will be known publicly. For every such $F_j(x)$, verifier $P_i$ 
computes his verification information as $v_{ji} = F_j(\alpha_i)$. 

2. Now to compute ICSig(D, INT, V, S), INT sets $F(x) = \sum_{j=1}^{q} F_j(x)$ and assigns ICSig(D, INT, V, S) = 
F(x). 

3. Every verifier $P_i$ computes his verification information corresponding to ICSig(D, INT, V, S) in the following 
way: $v_i = \sum_{j=1}^{q} v_{ji}$. 

Revelation of Linear IC Signature: 

1. INT broadcasts ICSig(D, INT, V, S) (i.e., F(x)). 

2. Verifier $P_i$ broadcasts Accept if one of the following conditions holds. 

(a) C1: $v_i = F(\alpha_i)$; OR 

(b) C2: For some $j \in \{1, \ldots, q\}$, $B_j(\alpha_i) \neq d_j v_{ji} + r_{ji}$ ($B_j(x)$ was broadcasted by INT during Round 
1 of Ver of the j-th signature giving instance) and D has not broadcasted $S_j$ in Round 2 of Ver of the j-th 
signature giving instance. 

Otherwise, $P_i$ broadcasts Reject. 

Local Computation (By Every Verifier): If at least (t + 1) verifiers have broadcasted Accept then accept 
ICSig(D, INT, V, S) and hence S. Else reject ICSig(D, INT, V, S). 



INT can compute ICSig(D, INT, V, $(b^1 - a^1, \ldots, b^\ell - a^\ell)$) and similarly verifiers can update their 
verification information accordingly, by doing local computation. Later in Reveal, INT can reveal 
ICSig(D, INT, V, $(b^1 - a^1, \ldots, b^\ell - a^\ell)$) to the verifiers. Moreover, the above idea can be extended 
for any number of IC signatures and any number of sets containing publicly known values. 

Note 1 We would like to alert that linearity of IC signatures holds only when all the IC signatures 
are generated by the same party, say P (who acts as a dealer). Moreover, P should abide by the condition 
for the linearity of IC signatures. Linearity does not hold on the IC signatures that are generated by 
different parties, as they will not satisfy the condition for the linearity of IC signatures (because different 
parties may choose different $\alpha_i$ for verifier $P_i$ in their signature giving instance). 
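
The Gen, Ver and Reveal steps of Fig. 1 and the addition of IC signatures of Fig. 2 and Note 1, as an added Python example that is not part of the original paper. It assumes a prime field GF(2^61 - 1) in place of GF(2^kappa) and covers only the case ICSig = F(x); all function names, the sample secrets and the choice n = 5, t = 2 are constructed for illustration.

```python
import secrets

# Assumption: the prime field GF(P) stands in for the paper's GF(2^kappa).
P = 2**61 - 1


def ev(poly, x):
    """Horner evaluation mod P; poly[k] is the coefficient of x^k."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % P
    return acc


def distinct_points(n):
    """n distinct random non-zero evaluation points alpha_1..alpha_n."""
    pts = set()
    while len(pts) < n:
        pts.add(1 + secrets.randbelow(P - 1))
    return list(pts)


def gen(S, t, alphas):
    """Gen: D picks F (low-order coefficients = S) and R, each with
    len(S)+t+1 coefficients, for INT, and (alpha_i, v_i, r_i) for each P_i."""
    F = list(S) + [secrets.randbelow(P) for _ in range(t + 1)]
    R = [secrets.randbelow(P) for _ in F]
    return F, R, [(a, ev(F, a), ev(R, a)) for a in alphas]


def ver(F, R, shares):
    """Ver: INT broadcasts (d, B = d*F + R); an honest D re-checks every point.
    complained=True means D found an inconsistency and would broadcast S."""
    d = 1 + secrets.randbelow(P - 1)
    B = [(d * f + r) % P for f, r in zip(F, R)]
    complained = any(ev(B, a) != (d * v + r) % P for a, v, r in shares)
    return d, B, complained


def run_instance(S, t, alphas):
    """One signature-giving instance (Gen then Ver) with honest D and INT."""
    F, R, shares = gen(S, t, alphas)
    d, B, complained = ver(F, R, shares)
    return {"F": F, "shares": shares, "d": d, "B": B, "complained": complained}


def add_polys(*polys):
    """INT's local step in Fig. 2: coefficient-wise sum of the F_j."""
    return [sum(cs) % P for cs in zip(*polys)]


def reveal(instances, revealed, t, always_accept=()):
    """Reveal for ICSig = F(x) (D broadcast nothing in Ver). One instance is
    Fig. 1; several instances are the summed signature of Fig. 2. Verifiers
    listed in always_accept model corrupted parties helping a corrupted INT."""
    votes = 0
    for i in range(len(instances[0]["shares"])):
        if i in always_accept:
            votes += 1
            continue
        alpha = instances[0]["shares"][i][0]
        v_sum = sum(inst["shares"][i][1] for inst in instances) % P
        c1 = ev(revealed, alpha) == v_sum                 # condition C1
        c2 = any(                                         # condition C2
            ev(inst["B"], a) != (inst["d"] * v + r) % P
            for inst in instances
            for a, v, r in [inst["shares"][i]]
        )
        votes += int(c1 or c2)
    return votes >= t + 1                                 # local computation


def demo():
    t = 2
    n = 2 * t + 1
    alphas = distinct_points(n)
    S1, S2 = [11, 22, 33], [100, 200, 300]      # constructed sample secrets
    i1, i2 = run_instance(S1, t, alphas), run_instance(S2, t, alphas)
    out = {"honest_D_complained": i1["complained"] or i2["complained"]}
    out["honest_reveal"] = reveal([i1], i1["F"], t)
    # Corrupted INT reveals F' != F while t corrupted verifiers vote Accept.
    forged = [(i1["F"][0] + 1) % P] + i1["F"][1:]
    out["forged_reveal"] = reveal([i1], forged, t, always_accept={0, 1})
    # Linearity: same alphas in both instances, so the sum verifies locally.
    F_sum = add_polys(i1["F"], i2["F"])
    out["sum_reveal"] = reveal([i1, i2], F_sum, t)
    out["sum_secret"] = F_sum[: len(S1)]
    # Condition for linearity violated: second instance uses fresh alphas.
    i3 = run_instance(S2, t, distinct_points(n))
    out["mixed_alpha_reveal"] = reveal([i1, i3], add_polys(i1["F"], i3["F"]), t)
    # Corrupted D gave one verifier a wrong v_i and stayed silent; C2 still accepts F.
    bad = dict(i1, shares=list(i1["shares"]))
    a, v, r = bad["shares"][3]
    bad["shares"][3] = (a, (v + 1) % P, r)
    out["corrupt_D_reveal"] = reveal([bad], bad["F"], t)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forged reveal is rejected even though the t corrupted verifiers vote Accept, and the sum built from instances with different evaluation points is rejected because no honest verifier's summed value lies on the summed polynomial.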

6 Conclusion and Open Problems 

In this paper, we have extended the basic bare-bone definition of ICP, introduced by Rabin et al. [3] 
and subsequently followed by [HE], to capture multiple verifiers and multiple secrets concurrently. 
Then we have presented a novel ICP (matching with our definition) that turns out to be the best 
ICP in the literature as per the round and communication complexity. We then showed that our 
ICP satisfies the linearity property. We now conclude this paper with the following interesting open 
questions: Can we improve the round and communication complexity of MVMS-ICP when n = 2t + 1? 



This leads to a more general question: What is the round and communication complexity lower bound 
for ICP with n = 2t + 1 verifiers? ICP can be studied in multi verifier and multi secret settings 
in asynchronous network where we may investigate the issues like communication efficiency etc. An 
initiative in this direction has been taken in [3]. 